AWS Control Tower is tightly integrated with several other native AWS services, including AWS CloudFormation, AWS SSO, and AWS Service Catalog. In this section we will explore these integrations.
AWS Control Tower uses AWS CloudFormation StackSets to establish the baselines and create the guardrails across multiple accounts and regions.
When you open the CloudFormation StackSets console in the management account, you will see the following StackSets for Control Tower:

| StackSet name | StackSet description |
| --- | --- |
| AWSControlTowerBP-BASELINE-CLOUDTRAIL | Configure AWS CloudTrail on all accounts |
| AWSControlTowerBP-BASELINE-CLOUDWATCH | Configure a CloudWatch rule and a local SNS topic, forwarding notifications from the local SNS topic to the Security topic |
| AWSControlTowerBP-BASELINE-CONFIG | Configure AWS Config on all accounts/regions |
| AWSControlTowerBP-BASELINE-ROLES | Creates all required baseline roles on all the accounts |
| AWSControlTowerBP-BASELINE-SERVICE-ROLES | Creates all required service roles on all the accounts for services (like AWS Config, SNS) used by Control Tower |
| AWSControlTowerBP-SECURITY-TOPICS | Central monitoring and alerting using SNS and AWS CloudWatch |
| AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED | Configure AWS Config rules on core accounts to check that your S3 buckets do not allow public access |
| AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED | Configure AWS Config rules on core accounts to check that your S3 buckets do not allow public access |
| AWSControlTowerGuardrailAWS-GR-S3-BUCKET-PUBLIC-READ-PROHIBITED | StackSet for applying guardrail |
| AWSControlTowerGuardrailAWS-GR-S3-BUCKET-PUBLIC-WRITE-PROHIBITED | StackSet for applying guardrail |
| AWSControlTowerLoggingResources | StackSet to set up the required resources in the Log Archive account |
| AWSControlTowerSecurityResources | StackSet to set up the required resources in the Audit account |
| AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1 | Once the account is provisioned, this stack is run to set up the account configuration based on the baselines (visible only if you create an account with network baselines; you will not see it in this lab) |

You may see additional StackSets depending on the number of guardrails you enable in Control Tower.
AWS SSO provides a cloud-native directory for granting users access to all the AWS accounts within the Control Tower environment.
During the initial installation of Control Tower, the AWS SSO directory was created along with a default AWS Control Tower Admin user that has administrative rights to the shared accounts. Also included are a few other common groups and permission sets that can be used to grant the appropriate level of permissions to your users. Additionally, you can create custom groups and permission sets as required by your organization.
The following are the pre-defined groups in AWS SSO:

| Group name | Description |
| --- | --- |
| AWSAccountFactory | Read-only access to account factory in AWS Service Catalog for end users |
| AWSAuditAccountAdmins | Admin rights to cross-account audit account |
| AWSControlTowerAdmins | Admin rights to AWS Control Tower core and provisioned accounts |
| AWSLogArchiveAdmins | Admin rights to log archive account |
| AWSLogArchiveViewers | Read-only access to log archive account |
| AWSSecurityAuditors | Read-only access to all accounts for security audits |
| AWSSecurityAuditPowerUsers | Power user access to all accounts for security audits |
| AWSServiceCatalogAdmins | Admin rights to account factory in AWS Service Catalog |
The following are the pre-defined permission sets in AWS SSO:

| Permission set | Description |
| --- | --- |
| AWSReadOnlyAccess | Grants permissions to view resources and basic metadata across all AWS services |
| AWSPowerUserAccess | Provides full access to AWS services and resources, but does not allow management of users and groups |
| AWSServiceCatalogAdminFullAccess | Provides full access to AWS Service Catalog admin capabilities |
| AWSOrganizationsFullAccess | Provides full access to AWS Organizations |
| AWSAdministratorAccess | Provides full access to AWS services and resources |
| AWSServiceCatalogEndUserAccess | Provides access to the AWS Service Catalog end user console |
With the release of version 2 of the AWS CLI, you can authenticate the CLI through AWS SSO, which eliminates the need to copy access key information from the AWS SSO user portal. This lets every user of AWS Control Tower sign in with AWS SSO at the command line and receive permissions for the AWS account they wish to work with, based on the profile they select during login.
The full documentation and implementation instructions are in the AWS Command Line Interface User Guide.
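As an added example (not part of the workshop or the AWS CLI itself), the following POSIX shell helper writes the SSO-backed CLI v2 profiles described above into an AWS config file, one per shared account, using the permission set names from the table as `sso_role_name`. The start URL, SSO region and account IDs are constructed placeholders to be replaced with the values from your own AWS SSO portal.

```shell
#!/bin/sh
# Added example: builds AWS CLI v2 profiles that authenticate via AWS SSO,
# so no long-lived access keys are copied from the SSO user portal.
# SSO_START_URL / SSO_REGION default to constructed placeholders.

# write_sso_profile CONFIG_FILE PROFILE ACCOUNT_ID ROLE_NAME
# ROLE_NAME is the permission set name (e.g. AWSAdministratorAccess,
# AWSReadOnlyAccess), not an IAM role ARN.
write_sso_profile() {
  config="$1" profile="$2" account_id="$3" role_name="$4"
  # Reject anything that is not a 12-digit account ID before it lands
  # in the config, so a typo cannot silently point at the wrong account.
  case "$account_id" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) echo "invalid account id: $account_id" >&2; return 1 ;;
  esac
  cat >> "$config" <<EOF
[profile $profile]
sso_start_url = ${SSO_START_URL:-https://d-PLACEHOLDER.awsapps.com/start}
sso_region = ${SSO_REGION:-us-east-1}
sso_account_id = $account_id
sso_role_name = $role_name
region = ${AWS_DEFAULT_REGION:-us-east-1}
output = json
EOF
}

# count_sso_profiles CONFIG_FILE -> number of profiles using SSO sign-in
count_sso_profiles() {
  grep -c '^sso_start_url' "$1"
}

# Demo: one profile per shared account, all behind the same SSO portal.
# After writing the file, `aws sso login --profile audit-admin` opens the
# browser sign-in and caches short-lived credentials under ~/.aws/sso/cache.
demo() {
  cfg="$(mktemp)"
  write_sso_profile "$cfg" audit-admin   111111111111 AWSAdministratorAccess
  write_sso_profile "$cfg" logs-readonly 222222222222 AWSReadOnlyAccess
  count_sso_profiles "$cfg"   # prints 2
  rm -f "$cfg"
}
```

Pass `AWS_CONFIG_FILE` or `~/.aws/config` as the first argument to write the real file; `aws sso login --profile <name>` then replaces the old `aws configure` key import step.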
AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows you to centrally manage deployed IT services and your applications, resources, and metadata. This helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need.
For more information, see the AWS Service Catalog workshop.
Copyright 2021, Amazon Web Services, All Rights Reserved.